Subscription to the full report on a daily basis can be obtained:
Send an eMail to dhsdailyadmin@mail.dhs.osis.gov with the subject "DHS Daily Open Source Infrastructure Report" and the following line in the body...subscribe.
To obtain a complete copy of the current report proceed to the DHS link below.
To obtain reports more than 10 business days old, send an eMail to DHS_Reports@e-computer-security.com. Be specific as to the reports you wish to receive.

Monday, December 31, 2007 Daily Report

• The Vail Daily reported that a train carrying quicklime, a chemical used in fertilizer, derailed and spilled its load in a remote part of Eagle County, Colorado. When mixed with water, quicklime turns to a vapor that can irritate skin and eyes. There were no reports of injuries and the spill will not harm the water supply. (See item 3)

• According to Reuters, U.S. regulators have issued a public health alert for about 14,800 pounds of missing ground beef products that may be contaminated with the potentially deadly E. coli bacteria. The USDA issued the alert after a trailer containing the ground beef was reported stolen by Texas American Food Service Corporation. (See item 14)

Information Technology

20. December 28, Security Products Online – (National) ITRC reports on ID theft in ‘07, predictions for ‘08. At the end of each year, the Identity Theft Resource Center reviews identity theft trends and patterns throughout the year. It examines the new directions this crime appears to be taking. The basis of this information includes: victims and their experiences, ITRC’s expertise, and data from law enforcement on the ways criminals are stealing and using personal identifying information and financial records. Among the issues the ITRC found in reviewing 2007: check schemes are increasing as credit issuers make it more difficult to get credit without authentication; identity thieves continue to exploit Web sites that promote online auctions and want ads, job hunting, dating and social networking to find victims; and the failure to believe someone could steal your identity generates apathy, so individuals fail to take proactive steps to minimize risk. The ITRC also predicted that in 2008 identity theft will continue to grow more international in scope. Scams will become more sophisticated and will be harder to detect, as thieves become more industrious and skilled at designing viruses, Trojans, and ways to trick you into divulging personal identifying information. On the positive side, ITRC believes that businesses will develop and implement better ways to authenticate the identity of applicants, including Internet and telephone applications, and that there will be a higher recognition of identity theft as a crime by law enforcement.

21. December 27, SC Magazine U.S. – (National) NIST may urge federal agencies to conduct penetration attacks. In the final draft of its upcoming security guidelines for protecting federal information systems, the National Institute of Standards and Technology (NIST) is recommending that federal agencies conduct regular penetration tests to determine whether their networks can be breached. The NIST draft guidelines, which will be published next March, suggest that federal agencies “should consider adding controlled penetration testing to their arsenal of tools and techniques used to assess the security controls” in their information systems. NIST recommends that government agencies train selected personnel in penetration testing tools and techniques, which should be updated on a regular basis to address newly discovered exploitable vulnerabilities. The guidelines also express a preference for the use of automated penetration tools and say that special consideration should be given to penetration tests on newly developed information systems before they are authorized for operation, on any legacy system undergoing a major upgrade, or “when a new type of attack is discovered that may impact the system,” according to the draft of the NIST guidelines. The guidelines, which will be finalized at the end of January and published in March 2008 as the Guide for Assessing Security Controls in Federal Information Systems, detail comprehensive security control assessment procedures federal agencies should follow to protect their information systems. The draft was produced at the Computer Security Division of NIST’s Information Technology Laboratory.

22. December 27, San Jose Mercury News – (National) Experts fail government on cybersecurity. Since the outbreak of a cybercrime epidemic that has cost the American economy billions of dollars, the federal government has failed to respond with enough resources, attention, and determination to combat the cyberthreat, a San Jose Mercury News investigation reveals. “The U.S. government has not devoted the leadership and energy that this issue needs,” said a former administration homeland and cybersecurity adviser. Even as the White House asked in November for $154 million toward a new cybersecurity initiative expected to reach billions of dollars over the next several years, security experts complain the administration remains too focused on the risks of online espionage and information warfare, overlooking international criminals who are stealing a fortune through the Internet. The difficulties are systemic and widespread, and include limited resources, fractured responsibility, and an unfamiliar threat.

23. December 27, Boston Globe – (Massachusetts) Tunnels ready for cellphones. Passengers riding the T in tunnels underneath downtown Boston will now be able to chat on their cellphones, text-message their friends, or use hand-held devices to e-mail their bosses from platforms and underground tunnels in and around four of the MBTA’s busiest stations. Yesterday, AT&T became the third cellphone provider to offer a signal underground. T-Mobile and Verizon both connected their networks earlier this month, but without any announcement from the T, many customers were not aware they could use their phones. The service is currently being offered in Downtown Crossing, Government Center, State, and Park Street stations, and all the tunnels in between. Expansion to other stations and tunnels is expected as cellphone service providers see demand and are willing to pay for the connection. The nation’s subways have been slow to introduce cellphone service, in large part because carriers have not wanted to spend the money to wire tunnels. The Massachusetts Bay Transportation Authority has tried to get cellphone service into the system for most of this decade; an earlier deal fell through when companies balked at the high cost of wiring the entire T.

• The New York Daily News reported that a special task force deemed all of the state’s 49 deck truss bridges safe to traverse despite finding cracked beams, deteriorating concrete and missing bolts on 20 of the inspected spans. The study by the state Bridge Task Force found flaws in four key spans in New York City, including decaying steel beams and crumbling decks on the Brooklyn Bridge. Officials said none of the flaws pose an immediate threat and all are fixable. (See item 8)

• According to City Pages, despite an overall decrease in the number of tuberculosis infections nationwide in recent years, Minnesota’s rate increased 9 percent between 2005 and 2006. Many cases involve drug-resistant TB. Officials say 82 to 85 percent of TB in Minnesota is diagnosed in foreign-born people, and local doctors are reluctant to sound the alarm too loudly for fear of stirring up anti-immigrant backlash. (See item 16)

Information Technology

20. December 27, Computerworld – (National) Storm switches tactics third time, adds rootkit. The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said today, changing the malicious file’s name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software. Spam messages attempting to dupe users into installing the bot-making Trojan now include links to happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute’s Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday’s “happy2008.exe.” The file being shilled today is tagged “happynewyear.exe.” More important is the behind-the-scenes addition of a rootkit to the versions of Storm now being seeded to infected machines, said researchers. Several researchers have posted analyses of Storm’s cloaking attempt. “[Storm now has] better hiding skills, no visible running processes, nastiness all hidden from the API (can you say rootkit?),” said one. Fortunately, said another, the rootkit is relatively old, and thus detectable by at least some security software. Neither is the move by Storm’s makers to hide its components and operations from anti-virus programs a new thing: the Trojan began using rootkits months ago. According to WHOIS look-ups, both the happycards2008.com and newyearcards2008.com domains were registered with a Russian domain registrar named RUcenter only yesterday; the listed contact for the two domains is based in Los Angeles, but the contact phone number gave only a constant busy signal. Since the newest Storm attack began on Monday with spam touting Christmas-themed strippers, the code has been repacked hundreds of times, a trick malware authors use to deceive signature-based antivirus software. Prevx, said its researcher, has already detected more than 400 variants of the version now in circulation.

21. December 26, Computerworld – (National) Pump-and-dump scam spam switches on video. Pump-and-dump stock scammers have begun spiking their spam with high-quality video clips -- the latest move in a long-running scheme that in the past has relied on image files, PDF documents and even robotic audio to dupe consumers, a security company said today. Symantec Corp. said on Monday that it had snared samples of pump-and-dump spam that linked to a high-definition video stream hyping a uranium exploration firm’s stock. “The online video streaming is about 30 seconds long, with very crisp and clear sound, and the video quality is very impressive,” noted a Symantec analyst, on the security vendor’s blog. Some of the video clips even include phony “financial analysts” who talk up the stock with a just-as-bogus “host” of a no-name stock-tip program. The spam’s copy appears to tout the stock of Wave Uranium Holding, a Las Vegas-based company that says it has uranium claims in Arizona and other mining rights in Utah. Wave Uranium’s stock is traded on the Over The Counter Bulletin Board exchange, which deals with low-priced, low-volume shares. Other spam caught in Symantec’s honeypots took a different approach that used previously poisoned video search engines. “This e-mail directs the user to key words (tags) from the spam sample message,” said the researcher. “The tags are then inserted into popular video search engines and usually come up with many video records uploaded with the same or similar description of the penny stock that spammers wish to promote.” Among the tags touted in the spam were “hot stock,” “madcap” and “pinksheet.” Pump-and-dump scams have plagued consumers’ in-boxes all year, with messages that have included image files, synthesized speech, PDF documents and Microsoft Excel spreadsheets to evade antispam filters. The schemes can be extremely profitable. In September, for instance, federal authorities announced that a group of stock scammers had pleaded guilty to multiple fraud counts only after they had bilked investors of over $20 million.

22. December 26, Chicago Tribune – (National) TV group sees dark time if white space opened up. When a Dallas TV station started transmitting digital signals a decade ago, five dozen wireless heart monitors at Baylor University quit working. Baylor got different monitors, and no patients were harmed, but it is a story that the executive vice president of the National Association of Broadcasters still tells to argue against allowing electronic devices to operate on vacant TV channels. “That was an unforeseen circumstance,” he said. “It shows how predictions of the way things will work don’t always come true in the real world.” The nation’s TV broadcasters are fighting Google, Microsoft and other high-tech firms that want to use vacant TV channels to carry high-speed data for a new generation of gadgets. Called “white space,” over-the-air channels like 6 and 8 in Chicago are left vacant to prevent signals broadcast on Channels 5, 7 and 9 from interfering with one another. But new digital technology and smart radios that sense whether broadcast channels are being used should enable low-power devices to use vacant channels without hurting TV reception, Internet-oriented executives argue. Utilizing white-space channels will provide consumers with more affordable ways to access the Internet and encourage innovators to make nifty new wireless gizmos, said the director of government relations for the Information Technology Industry Council. This would be especially useful in rural areas where high-speed Internet connections are scarce and vacant TV channels plentiful, he said. Once America’s TV broadcasters switch from analog to all-digital transmissions in February 2009, white-space channels should be open to unlicensed portable devices, he said. Broadcaster arguments that smart radios cannot use white space without causing TV interference are off the mark, said the vice president of the New America Foundation. For example, one segment of radio spectrum controlled by the Department of Defense for radar transmissions is open to sharing with unlicensed devices in much the same way proposed for TV white space, he said. This month, the UK approved a digital TV white-space sharing plan similar to the one at the FCC.

• WSMV 4 in Nashville reports that water found in old uranium-processing equipment at the K-25 site created a nuclear safety scare earlier this month and temporarily halted work to decommission the World War II-era facility. The water was a concern because it can serve as a moderator for nuclear reactions, and the old process systems contain deposits of enriched uranium – a material capable of nuclear fission under certain circumstances. (See item 5)

• According to CommwebNews.com, the profile of computer hackers is changing. Hackers are no longer loners; rather they have their own community and social networks, and the ability to share tactics and methods. Moreover, more women and girls are becoming involved in hacking. One explanation for the changes may be that malicious hacking in the name of nationalism is tolerated, or even encouraged, in some countries. (See item 22)

Information Technology

21. December 26, Computerworld – (National) Storm botnet drops strippers, switches to New Year’s greeting. Just a day after unleashing spam featuring Christmas strippers, the Storm botnet switched gears yesterday and began duping users into infecting their own PCs by bombarding them with messages touting the new year, said security researchers. According to U.K.-based Prevx Ltd. and Symantec Corp. in Cupertino, California, the botnet of Storm Trojan-compromised computers started sending spam with subject headings such as “Happy 2008!” and “Happy New Year!” late on Christmas Day. The messages try to persuade recipients to steer for the Uhavepostcard.com Web site to download and install a file tagged “happy2008.exe,” said researchers at both firms. However, the file is actually a new variant of the Storm Trojan. A Prevx representative reported that the company had seen two general variants by early Wednesday. “The first has been online for about 10 hours, and we’ve seen 166 different repacked versions of it,” he said in a company blog. The Storm code has been repacked every few minutes using a polymorphic-like technique since Monday, when the botnet started spreading stripper spam. Frequent repacking is a trick malware authors use to deceive signature-based antivirus software. The Storm botnet’s herders are also using fast-flux DNS (Domain Name System) tactics to keep the Uhavepostcard.com site operational, said Symantec. Fast flux, which the Storm botnet did not originate but has often used, is another antisecurity strategy; it involves rapidly registering and deregistering addresses as part of the address list for either a single DNS server or an entire DNS zone. In both cases, the strategy masks the IP address of the malware site by hiding it behind an ever-changing array of compromised machines acting as proxies. The notorious Russian Business Network malware hosting network has become infamous for using fast flux to hide the Internet location of its servers, making it difficult for security researchers, Internet service providers or law enforcement officials to track the group’s cybercrimes.
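The fast-flux behaviour described in the item above leaves a measurable trace in a resolver's own logs: a name that answers with a short TTL and a constantly changing set of addresses scattered across unrelated networks. The following is an added example, not code from the DHS report, Computerworld, Symantec or Prevx; it runs a simple heuristic over constructed DNS observations. The domain names (ending in .test) and the addresses (RFC 5737 documentation ranges) are placeholders, and the use of /24 blocks as a stand-in for network diversity is an assumption made because no ASN data is available in the example.

```python
import statistics
from collections import defaultdict

# Constructed resolver observations for three hypothetical domains:
# (domain, TTL in seconds, A-record answers). None of these names or addresses are real indicators.
OBSERVATIONS = [
    ("postcard-example.test", 120, ["198.51.100.10", "198.51.100.77"]),
    ("postcard-example.test", 60, ["203.0.113.5", "192.0.2.200", "198.51.100.77"]),
    ("postcard-example.test", 120, ["192.0.2.31", "203.0.113.99"]),
    ("postcard-example.test", 90, ["192.0.2.44", "198.51.100.150", "203.0.113.8"]),
    ("static-example.test", 3600, ["192.0.2.1"]),
    ("static-example.test", 3600, ["192.0.2.1"]),
    ("cdn-example.test", 60, ["198.51.100.20", "198.51.100.21"]),
    ("cdn-example.test", 60, ["198.51.100.21", "198.51.100.20"]),
]


def summarize(observations):
    """Collapse repeated lookups into per-domain statistics."""
    ttls = defaultdict(list)
    ips = defaultdict(set)
    for domain, ttl, answers in observations:
        ttls[domain].append(ttl)
        ips[domain].update(answers)
    stats = {}
    for domain in ttls:
        # Proxy for network diversity: distinct /24 blocks. A production pipeline would map
        # each address to its ASN instead (assumption: no ASN data is available here).
        prefixes = {ip.rsplit(".", 1)[0] for ip in ips[domain]}
        stats[domain] = {
            "responses": len(ttls[domain]),
            "median_ttl": statistics.median(ttls[domain]),
            "distinct_ips": len(ips[domain]),
            "distinct_prefixes": len(prefixes),
        }
    return stats


def is_fast_flux(domain_stats, max_ttl=300, min_ips=5, min_prefixes=3):
    """Heuristic: short TTL plus many answers spread across many networks.

    TTL alone is not enough: content-delivery networks also use short TTLs, but their
    answers come from a small, stable pool of addresses in few networks.
    """
    return (
        domain_stats["median_ttl"] <= max_ttl
        and domain_stats["distinct_ips"] >= min_ips
        and domain_stats["distinct_prefixes"] >= min_prefixes
    )


def flagged_domains(observations, **thresholds):
    """Return the domains whose lookup history matches the fast-flux pattern."""
    stats = summarize(observations)
    return sorted(d for d, s in stats.items() if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for domain, s in summarize(OBSERVATIONS).items():
        verdict = "FLUX" if is_fast_flux(s) else "ok"
        print(f"{domain:24} ttl={s['median_ttl']:>6} ips={s['distinct_ips']:>2} "
              f"prefixes={s['distinct_prefixes']} -> {verdict}")
```

Run as-is, the script flags only postcard-example.test; cdn-example.test has the same 60-second TTL but never leaves two addresses in one block, which is why the diversity thresholds matter more than the TTL threshold. Feeding real passive-DNS records into OBSERVATIONS in the same tuple shape is all that is needed to use it on live data, after tuning the thresholds to the resolver's normal traffic.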

22. December 26, CommwebNews.com – (International) Profile of computer hackers changing. Most people involved in computer crimes are nameless and faceless to the organizations they attack, with the obvious exception of insiders. A few become known as a consequence of getting caught. But what is notable about these young men and other cybercriminals is not so much their identities as their community. “I don’t think the hacker is a loner anymore,” said a senior security researcher at SecureWorks. “People that author malware feel like they have their own community now, their own social circles. They have their own social networks.” Cybercriminals today have plenty of support for their attacks and scams. They can buy automated attack kits or information about undiscovered exploits. They can rent botnets -- groups of compromised computers -- to spam, steal personal data, or conduct denial-of-service attacks. Their questions about breaking into other people’s computers can be answered through IRC chats or Web forums. They are part of a thriving underground economy that is expected to grow in 2008. And as cybercrime becomes an even bigger business, the profile of the cybercriminals is broadening beyond young men with computer skills. The researcher said cybercriminals still appear to be predominantly male, “but we see a lot more women and girls involved in hacking.” One explanation for that may be that malicious hacking in the name of nationalism is tolerated, or even encouraged, in some parts of the world. “I’ve been really amazed at the way people defend their actions,” the SecureWorks researcher continued, “I’ve had people argue that it’s not a bad thing.” He recounted an article he had translated from a small-town Russian newspaper that lauded two local hackers for sticking it to “those Capitalists.” Russian nationalism appears to be the motivation behind the massive distributed denial-of-service attack that hit Estonia in April. Attacks traced to China are also often attributed to nationalism. But more often than not, the real motivation is money.

23. December 26, BetaNews – (International) Russia launches GPS-like satellites on Christmas Day. While most nations sat practically still during the traditional late December lull, Russia sent the rest of the world a present on Christmas Day by shooting the last three of its GPS (Global Positioning System)-compatible GLONASS (Global Navigation Satellite System) satellites into space. Although the 24 satellites in the GLONASS system will be used mostly by the Russians for military tracking, GLONASS is supposedly interoperable with the United States’ GPS -- a navigational and mapping system which is utilized heavily for both military and civilian purposes -- and the still emerging Galileo system of the European Union. With the expansion of GLONASS, the Russians want to boost the high tech sector of their economy, too – and it looks as though they will add other civilian applications, as well. GLONASS already works over most of Russia, providing an instant fix of position once the satellites are located. Russia’s plans call for global coverage by the end of 2009, after all 28 satellites in the system are fully functional. GLONASS replaces Tsikada, a previous satellite system launched back in the days of the former Soviet Union. Tsikada took from one to two hours to calculate a position. GLONASS encountered delays with the floundering of the Russian economy during the late 1990s. But with abundant new government funding, it is now expected to be fully ready ahead of Europe’s Galileo. According to Russian officials, GLONASS will be used mostly alongside the U.S. GPS system. The U.S. GPS system, however, can be switched off for civilian subscribers by the U.S. government. The U.S. did just that during recent military exercises in Iraq, for example. The ground control segment of GLONASS is reportedly located entirely within the territory of the former Soviet Union.

• The Associated Press reports that a Southwest Airlines flight had to make an emergency landing in Omaha, Nebraska, after a person who missed the flight allegedly made a bomb threat. The passenger, who missed the flight, made a statement about a bag and then made a bomb threat specific to Flight 1018. (See item 14)

• According to the Bridgetown News, a bomb threat at Cumberland County Courthouse in New Jersey caused an evacuation Thursday afternoon, and all afternoon proceedings were canceled. Bomb-sniffing dogs had searched half of the building and found nothing suspicious. (See item 29)

Information Technology

33. December 22, New Scientist Tech – (National) Wi-Fi routers are vulnerable to viruses. The viral infection that began in Cambridge, Massachusetts, somewhere between MIT and Harvard University, failed to cross the Charles River into Boston; in California, the San Francisco Bay stymied a similar attack. This was not a biological infection, but the first simulation of an airborne computer virus. It spread by hopping between wireless routers, which are more susceptible to viruses than computers, said a representative of Indiana University in Bloomington. “We forget that routers are minicomputers. They have memory, they are networked and they are programmable.” And since they are not scanned for viruses, or protected by existing firewalls, they are easy targets. He knows of no actual router viruses, but says such a virus could steal credit-card numbers, make the router send out spam and block incoming security patches. Routers close enough together to communicate — less than 100 meters apart — could act as a vast network for viruses. Although routers do not usually communicate with each other, it would be easy enough for malicious hackers to use a virus to switch on that capability if the router’s encryption system were weak, he said.

34. December 21, IDG News – (International) Russians close to prosecuting ‘Pinch’ Trojan authors. Russia may soon prosecute the authors of the “Pinch” Trojan, an easy-to-use malicious software program available on the Internet that steals a variety of data. The head of Russia’s Federal Security Services said earlier this week that Pinch’s authors had been identified and would be taken to court, according to a blog posting by Russian security vendor Kaspersky Lab. Kaspersky said the arrest of the Pinch writers would be on the same level as the 2005 prosecution of a German man for creating the NetSky and Sasser worms, which caused thousands of infected computers to crash worldwide. With Pinch, “it’s impossible to estimate what financial losses have been caused over the years since this Trojan first saw the light of day,” Kaspersky said. Pinch’s sellers would customize the program for buyers and offer support, illustrating a growing underground economy for hacking tools, Kaspersky said. Thousands of versions of Pinch, which comes in Russian and English language versions, are still circulating on the Internet. Kaspersky said its security software can detect some 4,000 variants of Pinch, where the basic code is the same but aspects of the program have been modified in order to evade detection by security software. Pinch has a highly developed user interface that can be used for sorting information it steals off other computers, according to F-Secure. It can steal e-mail account passwords, pilfer other password information stored in the Internet Explorer, Firefox and Opera browsers, and snap screenshots. That stolen information can also be encrypted before it is sent back to the hacker, according to Panda Security, another security vendor. Pinch could also be customized to have the victimized computer join a botnet, or a network of computers set up to hide other malicious activity by the hacker. Botnets are often used to send spam or mount other hacking attacks.

35. December 21, vnunet.com – (International) Orkut worm hits 700,000 users. A fast-moving worm has infected more than 700,000 users on Google’s Orkut social network in just 24 hours. The Portuguese language attack exploited a vulnerability in Orkut’s scrapbook feature to post malicious JavaScript code on a user’s page. On viewing the scrapbook post, the code performed the exploit and downloaded a .js file to the user’s machine. The worm then took control of the user’s account, sending out copies of itself to all of the user’s friends and joining a group called ‘Infectados pelo Vírus do Orkut,’ which translates as ‘Infected by Orkut virus.’ The worm does not appear to download any other malicious programs. Security experts said yesterday that the malicious code has been removed from users’ pages and the worm has been taken offline. A Symantec researcher said that, although the attack was largely benign, it is worrisome because it was launched simply by loading the user’s Orkut profile. “This worm illustrates how a simple script injection exploit could affect a large social networking site,” he wrote in a company blog. “This worm could have been used for other malicious purposes, such as stealing cookies, exploiting other vulnerabilities or stealing sensitive data.”

36. December 21, Computerworld – (National) Microsoft automates IE crash snafu workaround. Microsoft Corp. posted an automated fix late yesterday for a week-old crippling problem with Internet Explorer, replacing a registry hack it had offered Wednesday. The new 476KB work-around can be downloaded manually from Microsoft’s Web site, and will be pushed to users via Windows Update as well, according to the company. “It has also been made available via Windows Update and Automatic Update for all Internet Explorer 6 customers on Windows XP Service Pack 2,” said the IE program manager at Microsoft’s Security Response Center (MSRC), in an entry on the center’s blog yesterday. The work-around came more than a week after users installed Security Update MS07-069 on December 11, and immediately began reporting that they were unable to connect to the Internet with IE or that the browser kept crashing. MS07-069, one of seven bulletins issued that day, fixed four critical vulnerabilities in IE 5.01, IE6 and IE7. On Wednesday, Microsoft acknowledged the problem and posted work-around instructions that required users to edit the Windows registry, a chore beyond most users. Microsoft has also revised the pertinent support document, originally posted Wednesday, to note the availability of the automated workaround, and marked up the MS07-069 security bulletin of December 11 to warn users of the problem.

• The Daily Reporter-Herald reports that about 600 people were evacuated from Agilent Technologies and five taken to the hospital after a cleaning chemical was spilled Wednesday morning. No one was seriously injured, and all five were later released from the hospital. (See item 5)

• According to the Boston Globe, a recently released report criticizes Massachusetts for being just one of seven states that have not bought a single dose of drugs to combat a global influenza epidemic and for failing to ensure that its state laboratory has enough capacity to test for dangerous germs during health emergencies. (See item 22)

Information Technology

27. December 20, SearchSecurity.com – (National) Critical virus spreads on Google’s Orkut network. About 400,000 members of Google’s Orkut social network have been the victims of a spam barrage spreading the W32/KutWormor virus. The virus is hidden in a spam message containing a New Year’s greeting in Portuguese. Once infected, the virus spreads using hidden JavaScript and Flash code by sending the same message to connected Orkut members. It also adds the victim to an Orkut community group called “Infected by Orkut Virus.” Meanwhile, analysts with security vendor BitDefender have detected a new Trojan that hijacks Google text advertisements, replacing them with ads from a different provider. Trojan.Qhost.WU modifies the infected computer’s hosts file. The modified file contains a line that causes the browser to read ads from a server at the given replacement address rather than from Google. “This is a serious situation that damages users and Webmasters alike,” said a BitDefender virus analyst, in a statement. “Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the Trojan takes away viewers and thus a possible money source from their websites.”
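The hosts-file hijack attributed to Trojan.Qhost.WU above is simple to audit, because a clean hosts file normally contains only loopback entries, and the only common benign additions are ad-blocking lines that sink a name to 0.0.0.0 or 127.0.0.1. The following is an added example, not code from the DHS report, SearchSecurity.com or BitDefender: it parses hosts-file text and flags names that are redirected to some other address, grouping the findings by target so that one address capturing several names stands out. The file contents, the hostnames and the address 203.0.113.77 are constructed placeholders, not real indicators; the RFC 1918 ranges are used to downgrade intranet overrides, which is a policy assumption, not something the page states. On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts, on Unix-like systems at /etc/hosts; pass its text to suspicious_entries.

```python
import ipaddress

# Constructed hosts-file content. The hostnames are placeholders and 203.0.113.77 is a
# documentation-range address standing in for a rogue ad server; none are real indicators.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
0.0.0.0         tracker.example.org      # sinkholed by an ad blocker: harmless
203.0.113.77    ads.example.net          # redirected to a routable host: the Qhost pattern
203.0.113.77    www.example-bank.test    # same host hijacking a second name
10.0.0.8        intranet.example.test    # LAN override, often legitimate in corporate builds
"""

# 0.0.0.0 makes a name resolve to nowhere; loopback addresses are handled by is_loopback.
SINKHOLES = {ipaddress.ip_address("0.0.0.0")}
# Assumption: redirections into these ranges are intranet overrides and get a lower severity.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return (line_number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue   # malformed line; the resolver ignores it as well
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def suspicious_entries(text):
    """Flag names mapped to anything other than a loopback or sinkhole address."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr.is_loopback or addr in SINKHOLES:
            continue   # blocking or self-referencing entries are the benign case
        lan = addr.version == 4 and any(addr in net for net in LAN_NETS)
        findings.append({
            "line": lineno,
            "hostname": name,
            "address": str(addr),
            "severity": "medium" if lan else "high",
            "reason": ("LAN override, verify against local policy" if lan
                       else "hostname redirected to a routable address"),
        })
    return findings


def redirect_targets(findings):
    """Group flagged names by target address; one address capturing many names is the hijack signature."""
    targets = {}
    for f in findings:
        targets.setdefault(f["address"], []).append(f["hostname"])
    return targets


if __name__ == "__main__":
    found = suspicious_entries(SAMPLE_HOSTS)
    for f in found:
        print(f"line {f['line']}: {f['hostname']} -> {f['address']} [{f['severity']}] {f['reason']}")
    for addr, names in redirect_targets(found).items():
        print(f"{addr} captures {len(names)} name(s): {', '.join(names)}")
```

Restricting the alert to non-loopback, non-sinkhole targets keeps ad-blocker lists from producing false positives, while the grouping step surfaces the pattern the BitDefender analyst describes: a single replacement address receiving traffic meant for several legitimate names. An endpoint baseline can run the same check on a schedule and diff the findings against the previous run.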

28. December 19, SearchSecurity.com – (National) Critical security patch for Adobe Flash Player. Adobe Systems Inc. released a massive security update Tuesday to address multiple flaws in its popular Adobe Flash Player. Danish vulnerability clearinghouse Secunia, which outlined 10 vulnerabilities in an advisory, called the flaws “highly critical” and warned that attackers could exploit the flaws to hijack targeted machines and gain extra user privileges, bypass security restrictions, launch cross-site scripting attacks, disclose sensitive data, and cause a denial of service. Adobe Flash Player is a multimedia application used with Microsoft Windows, Mozilla, and Apple platforms. Adobe said in its APSB07-20 security advisory that the flaws affect Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier on all platforms. The vendor recommended users update to version 9.0.115.0. For Secunia’s advisory, please see: http://secunia.com/advisories/28161/.

29. December 19, RCR Wireless News – (National) WiMAX certification lab opens. The WiMAX Forum has opened its first, and lead, lab to formally test and evaluate mobile WiMAX products for certification. With the lab now open for submissions, certified mobile WiMAX products are projected to hit the commercial market in the coming months. The vice president of marketing at the WiMAX Forum said that these “certifications will lead to an explosion of services and commercial availability in 2008.” The forum is anticipating a two- to three-month timeline for each device’s certification. Everything from base stations to feature-rich devices will be tested for interoperability, power control, minimum uplink and downlink speeds, and numerous other parameters defined by the organization.

30. December 19, Seattle Times – (Washington) Southeast Seattle residents without phone service. A few hundred Qwest telephone customers in Southeast Seattle have lost phone service and may be without it through the weekend, a Qwest spokeswoman said Wednesday. A non-Qwest contractor in the area inadvertently drilled into a piece of Qwest equipment Tuesday, causing the outage. Qwest technicians are working to restore service but it will take time to replace the underground equipment and do the necessary splicing. “It’s not a situation where we can make a fix at one spot and everything will go on at the same time,” the spokeswoman said.

• The Associated Press reports on a fire at the White House compound in the Eisenhower Executive Office Building. Within an hour, the blaze appeared to be under control. (See item 19)

• According to Reuters, a report released on Tuesday states that the United States remains unprepared for disasters ranging from biological attacks to a flu pandemic and funding for preparedness is falling, despite five years of constant and detailed warning. (See item 22)

Information Technology

23. December 19, Computer Weekly – (International) Cisco releases first annual security report. Cisco has released its first annual report on the global state of security. Cisco says that although many end-of-year industry reports focus on content security threats such as viruses, worms, Trojans, spam, and phishing, its 2007 Annual Security Report broadens the areas covered with a set of seven risk-management categories. These include vulnerability, physical, legal, trust, identity, human, and geopolitical factors. Together, they encompass security requirements that involve anti-malware protection, data-leakage protection, enterprise risk management, disaster planning, and other requirements. The report makes several recommendations to organizations to enable them to protect their systems: conduct regular audits within organizations of attractive targets and evaluate the avenues that can be used to attack them; understand that threats follow application usage patterns; change the mindset of employees, consumers, and citizens who consider themselves innocent bystanders, and empower them to become active against security threats; make security education a priority; institutionalize IT security education by incorporating it into school curricula; consider more than just performance when building a secure network; and security suppliers need to provide comprehensive security systems that extend throughout the network infrastructure.

24. December 19, Computerworld – (National) Gmail open to Internet Explorer hijacks. Hackers can exploit an unpatched flaw in Microsoft’s Internet Explorer browser to access Gmail accounts, according to security firm Cenzic. Cenzic has warned Internet Explorer users that the browser contains an unspecified cached files bug that, when combined with a cross-site request forgery flaw in Gmail, exposes the webmail account sign-ons and lets others access those accounts and any messages or file attachments there. Although not a bug that can be exploited remotely -- an attacker must have local, physical access to the PC -- as Cenzic pointed out, there are scenarios where that is not a limitation. “These vulnerabilities could be exploited such that all users of a shared computer, who use Internet Explorer and share a user account -- a common practice at computer kiosks in a library or internet cafe -- could be vulnerable,” said Cenzic. Gmail contributes to the overall vulnerability because its URLs display attachments when viewed using the ‘View Source’ command, the warning added. Internet Explorer, however, sports “improper use of caching directives [and] incorrect access checks on cached Internet Explorer files.” Together, the bugs could conceivably let someone at a public PC hijack any Gmail log-on credentials that had been entered on the machine since the Internet Explorer cache had last been purged. Internet Explorer deletes the contents of its cache only as new files are added -- and the oldest are deleted -- or when the user explicitly instructs the browser to clear the cache using the ‘Delete Browsing History’ command. However, Microsoft denied that Internet Explorer even has a bug. “Microsoft has thoroughly investigated the claim and found that this is not a product vulnerability,” said a company spokesman.

25. December 19, Computer Weekly – (International) Microsoft says lottery scams are the fastest growing area of cybercrime. Microsoft commissioned a survey of 3,600 internet users across Germany, Italy, Denmark, the UK, and the Netherlands, and found that 50 percent of spam e-mails sent are lottery scams. In the UK, 20 percent of those who received lottery spam opened some messages, with 10 percent having replied to them. In addition, 13 percent have clicked on potentially malicious links inside these emails. The survey found that 3 percent of UK respondents had lost money through such lottery scams over the past 12 months, which is the same as the pan-European average. Microsoft UK’s chief security advisor said, “Internet lottery scams are one of the fastest growing areas of cybercrime. The scams are of increasing concern to international law enforcement, offering criminals a low-risk opportunity to steal money from internet users.”

26. December 18, CMP Channel – (National) VoIP threats, vulnerabilities abound. Whether their purpose is malicious, for financial gain, or just to prove it can be done, VoIP systems are a nut that hackers and exploiters cannot wait to crack. As VoIP continues to proliferate into 2008, those threats will only get stronger and more sophisticated, according to a vulnerability research lead for Sipera VIPER Lab, a research team bent on identifying ways VoIP can be exploited. He said word of some VoIP threats started to spread in 2006, with toll fraud and vishing -- a VoIP version of phishing -- taking center stage. By 2007, those threats and vulnerabilities began to manifest further. In the coming year, by many accounts, exploits used to bring down VoIP systems and scam their users will continue to expand, with many exploits being used in conjunction with one another to form an attack powerhouse of sorts. The biggest VoIP threats and vulnerabilities of 2007 -- remote eavesdropping, VoIP hopping, vishing, VoIP spam, toll fraud, and the Skype worm -- will again make headlines in 2008, the researcher said. The president and CEO of Warwick, Rhode Island-based solution provider Atrion Networking, said VoIP threats have evolved and grown from a “what if?” scenario into a full-blown “what now?” situation. “There will be more and more threats. It’s definitely going to grow,” he said. Security providers are urging IT managers and others to use VoIP encryption to ward off current and future threats as the use of IP grows.

27. December 18, Government Executive – (National) Land-based backup to GPS wins reprieve in spending bill. A terrestrial backup for the satellite-based Global Positioning System endorsed by a wide range of users from the aviation, marine transportation, and telecommunications industries gained a new lease on life in the fiscal 2008 omnibus spending bill passed by the House Monday. The Coast Guard had planned to terminate operation of its LORAN (for Long-Range Navigation) system, which could serve as the backbone of a GPS backup, in fiscal 2008. But language in the Homeland Security Department portion of the Consolidated Appropriations Act of 2008 denied that request. The omnibus bill said that termination would be premature, partly due to the fact that an improved version of LORAN, known as enhanced Loran or eLORAN, has been recommended as a GPS backup by the multiagency National Space Based Positioning, Navigation, and Timing Committee, whose membership includes top officials from the Defense, Homeland Security, Transportation, Commerce, and State departments, along with NASA. That committee has not publicly released its eLORAN recommendation. The Transportation Department’s Volpe National Transportation Systems Center urged development of an alternative to GPS in a 2001 report that concluded the satellite-based system could be knocked out by jamming its high-frequency low-power signals. The report suggested LORAN as a possible backup. Since the Volpe report was issued, the Coast Guard -- at the direction of Congress -- has converted most of its LORAN stations, which had a location accuracy of from one quarter of a nautical mile to one nautical mile, to eLORAN stations, which have an accuracy of between eight and 65 feet. GPS also provides precise timing signals for telecommunications companies worldwide, and they urged the Transportation and DHS to adopt eLORAN as a backup during a public comment period earlier this year.

28. December 18, PC Pro – (International) Virgin customers suffer network collapse. Virgin Media experienced a national collapse of its broadband network Monday night as a result of a glitch in its automated router maintenance service. The glitch caused Virgin Media’s servers to lose their DHCP leases, leading to the servers attempting to renew nearly three million IP addresses all at once, bringing the system to a halt. Virgin says the problem is now resolved and full service is restored. A spokesperson for the company says the length of the outage varied greatly between users, with some “getting their connections back in a few seconds, while others would have taken much longer.” “At 9:20 p.m. last night, customers in a number of regions temporarily lost connectivity to their broadband and Video on Demand services,” a statement from the company read. “This occurred as a result of an error during a routine maintenance process which affected some customers’ modems and set top boxes.”
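The failure mode in item 28 is a renewal storm: when every lease is lost at the same instant, every client's next renewal lands in the same second. The simulation below is an added example, not code from the report or from Virgin Media; the client count, lease length, server capacity and one-second buckets are constructed values, and it contrasts synchronized leases with leases whose start times are staggered.

```python
"""Simulate a DHCP lease-renewal storm (all leases lost at once, so every client
renews at the same moment) against staggered lease starts.

Added example, not code from the report or from Virgin Media. Client count,
lease length, server capacity and bucket size are constructed values.
"""
import random
from collections import Counter


def renewal_load(n_clients, lease_seconds, stagger_seconds, seed=1):
    """Return (peak renewals in any one second, per-second Counter).

    Each client sends its renewal at T1 = lease/2 after its own lease start
    (the RFC 2131 default). With stagger 0 every lease started together, as
    after a mass lease loss, so all renewals land in one second; with stagger
    the lease starts are spread uniformly over that many seconds.
    """
    rng = random.Random(seed)
    per_second = Counter()
    for _ in range(n_clients):
        start = rng.uniform(0, stagger_seconds) if stagger_seconds else 0.0
        per_second[int(start + lease_seconds / 2)] += 1
    return max(per_second.values()), per_second


def overloaded_seconds(per_second, capacity):
    """Count the seconds in which renewals exceed what the servers can answer."""
    return sum(1 for n in per_second.values() if n > capacity)


def main():
    n, lease, capacity = 30_000, 3_600, 200   # constructed values
    synced_peak, synced = renewal_load(n, lease, 0)
    spread_peak, spread = renewal_load(n, lease, lease)
    print(f"synchronized leases: peak {synced_peak}/s, "
          f"{overloaded_seconds(synced, capacity)} overloaded second(s)")
    print(f"staggered leases:    peak {spread_peak}/s, "
          f"{overloaded_seconds(spread, capacity)} overloaded second(s)")


if __name__ == "__main__":
    main()
```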

• The Times Online reports that the personal details of three million UK learner drivers have been lost in Iowa. The UK Transport Secretary said that the data was housed on a hard drive in the Iowa City offices of Pearson Driving Assessments Ltd., a company employed by the Driver and Vehicle Licensing Agency. The Information Commissioner had said the case did not appear to present “a substantial risk” to individuals. (See item 10)

• According to the Associated Press, an error by two air traffic controllers caused a military jet and a commuter plane to fly within 3.17 miles of each other over northern Illinois. Minimum spacing between planes is 5 miles horizontally or 1,000 feet vertically; the Federal Aviation Administration said that planes were never in danger of colliding and that an investigation is ongoing. (See item 12)

Information Technology

27. December 18, Security Products – (National) Upcoming report will help protect businesses against identity theft, fraud. With the holiday shopping season in full swing, banks, card issuers, and retailers, among others, are mindful of the dangers of identity theft and the importance of protecting their customers’ personal financial data. A report coming in January will help businesses and other organizations arm themselves against the theft and fraudulent use of such information. The report is being prepared by the Identity Theft Prevention and Identity Management Standards Panel (IDSP). Sponsored by the American National Standards Institute and the Better Business Bureau and spearheaded by nine leading companies, the panel has spent the past year defining a set of cross-sector standards and best practices to address this critical issue. “The IDSP has brought together a diverse group of public and private sector interests to identify guidelines and standards-based solutions that can be used to address this critical marketplace problem 365 days per year,” said the panel’s director. The panel’s collective findings and recommendations will be issued on January 24. The IDSP will host a webinar that day to formally announce the release of the report and engage key analysts and industry leaders in a roundtable discussion of the panel’s findings. For more information about the IDSP, visit www.ansi.org/idsp.

28. December 17, Computerworld – (Ohio) Ohio e-voting system security criticized in new state report. E-voting in Ohio faces a host of potential security, equipment, and process changes following the release of an 86-page report that criticizes the existing voting systems used in the state. The report concludes that security shortcomings in Ohio’s e-voting systems are a continuing danger to the accuracy of elections there. The study was done at the request of Ohio’s secretary of state, who is in charge of the state’s elections. Between October 5 and December 7, teams of academic researchers, accredited e-voting system testing labs, and scientists evaluated the state’s existing hardware and software and made recommendations for improvements. The stakes are big for Ohio, which faces two key elections next year -- a March 4 primary election, and the November 4 general election. “The findings of the various scientists engaged by Project EVEREST are disturbing,” the report states. EVEREST is short for Evaluation & Validation of Election-Related Equipment, Standards & Testing. The main problem, according to the report, is that while security and privacy standards generally exist for critical technology systems, “unfortunately ... the computer-based voting systems in use in Ohio do not meet computer industry security standards and are susceptible to breaches of security that may jeopardize the integrity of the voting process.” The report is available in PDF form at: http://www.sos.state.oh.us/sos/info/EVEREST/00-SecretarysEVERESTExecutiveReport.pdf.

29. December 17, United Press International – (International) U.K. Olympic teams hacked from China. Chinese hackers have penetrated the Internet server used by the British Olympic canoeing team, who suspect the aim was to steal performance data to help rivals. The U.S. Olympic Committee told United Press International it was unaware of any similar attempts against American teams. Internet servers used by the British Canoe Union were penetrated in mid-October, a spokeswoman told UPI. “Our IT security consultants traced the origination (of the attacks) to China,” she said. The spokeswoman said that no data was stolen from the server during the attack, first reported Friday by the Times of London. She said while the union did not know exactly what the hackers were after, the suspicion was that they were attempting to steal performance data of the kind that might be useful to the team’s competitors. “None of our athlete information is stored on our Internet servers, for exactly that reason,” she said, adding that security had been beefed up on the group’s Web site. A U.S. Olympic Committee spokesman told UPI, “We are not aware of any entities or individuals trying to hack into our system.” He added that the committee was “happy” with its security arrangements. “We go to great lengths to guard against any compromise of our systems. We are aware of the dangers and we have a forward-looking plan to deal with them,” he said.

30. December 17, Network World – (National) Successful phishing attacks up, online survey shows. A Gartner survey shows phishing attacks against consumers in the United States have been more successful this year than last. The good news is that consumers have been able to recover their losses from phishing a bit more than they did in the past. An online survey of 4,500 adults (said to be representative of the U.S. population) showed 3.3 percent of them lost money because of a phishing attack, compared with 2.3 percent who lost money in 2006 or 2.9 percent in 2005, according to Gartner. The average dollar loss per incident declined this year to $886 from $1,244 on average in 2006. But because there were more victims, the overall loss to phishing was higher. By extrapolating the numbers out to the entire U.S. population, Gartner says it appears that 3.6 million adults lost $3.2 billion to phishing attacks in the 12 months ending in August 2007. The good news is that these phishing victims are recovering the lost money more often than they did in the past, thanks to greater help from banks and PayPal, said a Gartner analyst. “There were more victims but they’re getting more of their money back.” Pulling out the numbers to represent the United States as a whole, the Gartner survey shows some 1.6 million adults recovered about 64 percent of their losses in 2007, up from 54 percent that the 1.5 million adults recovered in 2006. PayPal and eBay continue to be “the most-spoofed brands,” the Gartner survey says. Another trend seen is that attackers are more eager to get hold of debit and check cards than credit cards because there are fewer protections for them and they are harder to catch, said the Gartner analyst.

31. December 18, Associated Press – (National) Cell phone spending surpasses land lines. 2007 is likely to be the first calendar year in which U.S. households spend more on cell phone services than on land line service, industry and government officials say. The most recent government data show that households spent $524, on average, on cell phone bills in 2006, compared with $542 for residential and pay-phone services. By now, though, consumers almost certainly spend more on their cell phone bills, several telecom industry analysts and officials said. As recently as 2001, U.S. households spent three times as much on residential phone services as they did on cell phones. But the expansion of wireless networks has made cell phones more convenient, and a wider menu of services, including text messaging, video, and music, has made it easier for consumers to spend money via their cell phone. While there are roughly 170 million land lines in use nationwide, industry officials estimate there are close to 250 million cell phones. (These figures include residential and corporate use.)

• According to USA Today, a recent midair jet engine failure that sent metal chunks exploding with violent force is prompting federal investigators to debate the need for tougher engine safety standards. The investigation has only just begun, but one possible outcome is a finding that existing protections on engines are not sufficient to prevent metal shards from being flung out of a damaged engine. (See item 12)

• The Los Angeles Times reports that the guilty pleas announced Friday in the JIS case represented an important win for the Justice Department. Authorities said the foiled plot posed a real and immediate threat, as the audacious scheme to attack more than a dozen military centers, synagogues, and other sites in Southern California was within 60 days of launching. (See item 23)

Information Technology

26. December 17, vnunet.com – (International) Sharp hike in cyber-attacks from China. Security experts have warned of a sharp hike in malicious activity coming out of China. Finjan has examined the new wave of Chinese attacks and the mechanisms used and claims to have identified an “intricate network of connections” between China-based servers run by cyber-criminals. The security firm has discovered that the entry points that initiate the attack on users “in the wild” exist all over the world and are eventually associated with servers registered as Chinese domains. The attackers are spreading the assaults by placing entry points on a variety of websites in different regions that are categorized differently by URL categorization engines. The infection consists of either an Iframe or a Script tag placed on the website that causes users visiting the site to be attacked. Examples of such entry points are shown in Finjan’s December 2007 Malicious Page of the Month Report, and were found on trusted websites in the U.S., China, and Western Europe, including government and education sites. After the victim reaches an entry point, the attackers use dynamic code obfuscation methods to keep signature-based technologies from detecting the attack. The victim is redirected to a series of sites containing Iframes that will eventually force the victim to visit a site that belongs to the Chinese network. In the first part of the actual malicious attack, the cyber-criminals use new or known exploits that will infect the victim with a crimeware Trojan. “After the initial Trojan is loaded it initiates the downloading of other Trojans from different locations. The compromised computer will then redirect to other sites in order to send statistical information about the infected PC,” the firm stated. “Finjan has discovered that different Trojans send encoded information to the same sites in China that we identified as being unique to the attack.”
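The entry point described in item 26 is a foreign Iframe or Script tag planted in an otherwise trusted page, so a site owner's first check is to scan their own HTML for such tags. The scanner below is an added example, not code from the report or from Finjan; the sample page and all host names are constructed (reserved example.* domains), and the heuristics (off-site source, zero-pixel frame, hidden by style) are assumptions chosen to match the tag types the article names.

```python
"""Flag injected entry-point tags (hidden iframes, off-site scripts) in a page's HTML.

Added example, not code from the original report or from Finjan. The sample
HTML and every host name below are constructed (reserved example.* domains).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one legitimate same-origin script, one legitimate player
# frame, one hidden off-site iframe and one off-site script (the injections).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="https://cdn.example.net/x.php" width="0" height="0" style="display:none"></iframe>
<script src="https://stats.example.org/count.js"></script>
<iframe src="/video/player" width="640" height="360"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class EntryPointScanner(HTMLParser):
    """Collects (tag, src, reasons) for iframe/script tags that look injected."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def _off_site(self, src):
        # Relative URLs have no host and are treated as same-origin.
        host = urlparse(src).hostname
        return bool(host) and host.lower() != self.page_host

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag == "iframe":
            reasons = []
            if self._off_site(src):
                reasons.append("off-site src")
            if a.get("width", "").strip() in ("0", "1") or \
               a.get("height", "").strip() in ("0", "1"):
                reasons.append("zero/one-pixel frame")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden by style")
            if reasons:
                self.findings.append(("iframe", src, reasons))
        elif tag == "script" and src and self._off_site(src):
            self.findings.append(("script", src, ["off-site src"]))


def scan(html, page_host):
    """Return the list of suspicious tags found in html served from page_host."""
    scanner = EntryPointScanner(page_host)
    scanner.feed(html)
    return scanner.findings


if __name__ == "__main__":
    for tag, src, reasons in scan(SAMPLE_HTML, "www.example.com"):
        print(f"{tag:7} {src:40} {', '.join(reasons)}")
```

A hit is a lead, not a verdict: third-party analytics scripts are off-site by design, so an allow-list of expected hosts belongs in front of any alerting.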

27. December 15, Computerworld – (National) Apple fixes 18 flaws in Tiger’s Java. Apple Inc. has updated Java for Mac OS X 10.4, also known as Tiger, to patch 18 different vulnerabilities, including some fixed as long ago as May by Java’s maker, Sun Microsystems Inc. Apple’s newest operating system, dubbed Leopard, does not need to be patched because it includes the updated Java components. According to the accompanying advisory, Tiger’s Java, Java 1.4, and Java 2 Standard Edition 5.0 contain flaws that in some cases could lead to what Apple called “arbitrary code execution,” which means that attackers may be able to insert their own malware during an exploit and/or gain complete control of the machine. Unlike rivals such as Microsoft Corp., Apple does not rank or rate its security updates to give users an idea of the severity of the bugs. Among the 18 vulnerabilities was one discovered by 3com Corp.’s TippingPoint unit in June 2006 and another reported to Sun in October 2006 by a member of Google Inc.’s security team. TippingPoint’s flaw was fixed in January 2007, and the Google-reported bug was patched by Sun in May 2007. In both instances, updates were made available at the time for the Java components used by Windows, Linux and Solaris. But because Apple crafts the Java runtime for Mac OS X, its users were left unprotected an additional eleven and seven months, respectively. However, no exploits using either bug were reported during that time.

28. December 17, Broadbandreports.com – (National) Access problems caused by technical glitch, not net neutrality violation. When T-Mobile customers could not access the blog hosting website Twitter over the weekend, bloggers assumed T-Mobile had blocked the site as policy and violated network neutrality. But according to Twitter, the problem was a technical one and has now been resolved. According to broadbandreports.com, last year BellSouth users complained they could not access MySpace and YouTube, leading some to issue cries of network-neutrality violation. As it turns out, the problem was a completely unintentional routing issue. Similar cries of network-neutrality wolf have been commonplace; Cox users who were unable to surf craigslist.com thought it was a secret Cox cabal to stop them from selling their junk (it was flaky security software), and Comcast users who could not reach Google assumed the worst (it was a DNS glitch). Some industry watchers have stressed user patience before accusing providers of policy-driven neutrality violations.

20. December 13, Reuters – (International) Russian computer program fakes chatroom flirting. Internet chatroom romantics beware: your next chat may be with a clinical computer, not a passionate person, trying to win your personal data and not your heart, an online security firm says. An Australian anti-virus software firm, PC Tools, has warned that the Russian program, called CyberLover, could be abused by identity fraudsters trying to harvest people’s personal details online. The Russian site behind it denied it was intended for identity fraud. A spokesman for PC Tools said the program had a “terrifyingly well-organized” interaction that could fool users into giving up personal details and could easily be converted to work in other languages. “As a tool that can be used by hackers to conduct identity fraud, CyberLover demonstrates an unprecedented level of social engineering,” a Senior Malware Analyst at PC Tools said in a statement.

21. December 13, MacWorld – (National) QuickTime update fixes security issues. Apple released an update on Thursday for QuickTime that fixes several security issues in the application. Fixed in QuickTime 7.3.1 is the application’s handling of Real Time Streaming Protocol (RTSP) headers that allowed arbitrary code execution. This security issue was found in late November and a proof-of-concept was published days after it was discovered. The final security issues fixed in this update include multiple vulnerabilities in QuickTime’s Flash media handler. With this update, the Flash media handler in QuickTime is disabled except for a limited number of existing QuickTime movies that are known to be safe, according to Apple.

22. December 12, MacWorld – (International) iPhone malware attacks set to go big in 2008? Security researchers are warning that the iPhone may generate a new cybercrime wave, becoming “a primary target for hackers in 2008.” Researchers predict drive-by attacks in which malware is embedded into seemingly harmless data or images designed to attack the iPhone via its web browser. Arbor Networks warns of a rise in ‘Chinese on Chinese’ cybercrime in the year ahead, noting a dramatic increase in attacks on Chinese language-specific software. This reflects fast-paced increases in Chinese computer users and increasing organization among China’s cybercriminals. “2007 was the year of the browser exploit, the data breach, spyware, and the storm worm. We expect 2008 to be the year of the iPhone attack, the Chinese Hacker, P2P network spammers, and the hijacking of the Storm botnet,” Arbor Networks said.

About Me

U.S. Army Retired Chief Warrant Officer with more than 40 years in information technology and 35 years in information security. Became a Certified Information Systems Security Professional in 1995 and have taught computer security in Asia, Canada and the United States. Wrote a computer security column for 5 years in the 1980s titled "for the Sake Of Security", penname R. E. (Bob) Johnston, which was published in Computer Decisions.
Motto: "When entrusted to process, you are obligated to safeguard"